Categorization of Problem Areas


The problem areas of an AAA implementation on a switch may be categorized as follows:

  • Switch management troubleshooting

  • Identity-based Network Services (IBNSs) troubleshooting

Switch Management Troubleshooting

TACACS+ Protocol is more desirable for configuring AAA for switch management, although RADIUS and Kerberos are the other two options available. The local user database is primarily used for console authentication or as a fall-back method for Telnet or SSH access to the switch. The primary focus of this section is on configuring and troubleshooting AAA implementation using TACACS+ along with the local user database.

Table 11-3 shows AAA features introduced on different versions of the switch code.

Table 11-3. AAA Features Available Based on CatOS Release

AAA Method

CatOS 2.2-5.1

CatOS 5.1-5.4.1

CatOS 5.4.1-7.5.1

CatOS 7.5.1 and later

TACACS+ Authentication

Yes

Yes

Yes

Yes

RADIUS Authentication

No

Yes

Yes

Yes

Kerberos Authentication

No

No

Yes

Yes

Local Username Authentication/Authorization

No

No

No

Yes

TACACS+ Command Authorization

No

No

Yes

Yes

TACACS+ Exec Authorization

No

No

Yes

Yes

RADIUS Exec Authorization

No

No

Yes

Yes

Accounting - TACACS+/RADIUS

No

No

Yes

Yes

TACACS+ Enable Authorization

Yes

Yes

Yes

Yes

RADIUS Enable Authorization

No

Yes

Yes

Yes

TACACS+ Enable Authorization

No

No

Yes

Yes


Login Authentication

This section steps through the configuration and discusses some of the common issues that you may encounter, and how to troubleshoot them.

Configuration Steps

To configure AAA authentication, perform the following tasks:

Step 1.

Create local user database

If you are running CatOS version 7.5.1 or above, configure the local user database as follows:

Example 11-11. Sample Output of Local User Database

Switch> (enable) set localuser user admin password powerpass privilege 15 Switch> (enable) set localuser user basic password nonenable 

It is important to note that there are only two privilege levels (0 and 15) for the authentication of local users as shown in example 11-12, where admin has a privilege level 15 (enable access privilege), but the user basic has privilege level 0, which is exec privilege. So, when admin uses Telnet or console, it can get to the enable mode but the username basic will be in the user mode. User basic needs to know the enable password to reach the enable mode, which can be configured with the set, enable password command. The local user database can be configured as the only user authentication method, or it can be configured as a backup for the external AAA server authentication so that users are not locked out.

Step 2.

Turn on and verify the local authentication as a fallback (back door) or only method for authentication, as Example 11-12 shows.

Example 11-12. Turning on Local User Authentication

Switch> (enable) set authentication login local enable Switch> (enable) show aaa authentication Switch> (enable) 

Step 3.

Define the TACACS+ server and shared secret key on switch.

Configure the communication parameters between the switch and AAA server (TACACS+ or RADIUS) by providing the IP address and the shared secret key (optional) for encryption, as Example 11-13 shows.

Example 11-13. Configuration Required for Communicating with AAA Server

Switch> (enable) set tacacs server 10.1.1.40 Switch> (enable) set tacacs key cisco Switch> (enable) 

Step 4.

Define the AAA client on the AAA Server.

Configure switch as an AAA client on the Cisco Secure ACS by browsing to Network Configuration > Add AAA client > Add Entry (Define Switch IP address and shared secret key) > Stop/Restart the service.

Note that the Switch IP address and shared secret key must be defined on the switch.

Step 5.

Create the user database on the Cisco Secure.

After login to Cisco Secure ACS, go to User Setup > Create a user with username and password > Map the user to a group on ACS unconfigured. No special parameters need to be defined for simple user authentication to the switch.

Step 6.

Turn on TACACS+ authentication, as Example 11-14 shows.

Example 11-14. Turning on TACACS+ Authentication on the Switch

Switch> (enable) set authentication login tacacs enable Switch> (enable) 

Troubleshooting Steps

Troubleshooting authentication needs to be done on both switches, and on the TACACS+ server side. It is, however, recommended to troubleshoot the AAA issue for the switch with the CS ACS server itself. You can turn on debug with the set trace tacacs 4 on the switch. It is worth examining a successful authentication debug on the switch before you go through some of the common issues that you may encounter. Example 11-15 walks through the debug output on the switch.

Example 11-15. The debug Output for Successful User Authentication with TACACS+ protocol

Switch> (enable) set trace tacacs 4 AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=12005 Mar 26 22:10:08.510 AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=LOGIN TAC+: send AUTHEN/START packet ver=192 id=224470576 ! Opening connection with tacacs+ server TAC+: Opening TCP/IP connection to 10.1.1.40 TAC+: ver=192 id=224470576 received AUTHEN status = GETUSER2005 Mar 26 22:10:09. 520 ! Getting username input from the user AAA/AUTHEN (224470576): status = GETUSER User Access Verification Username: 2005 Mar 26 22:10:16.590 ! Got the username administrator AAA/AUTHEN: update_user user='administrator' ruser='(null)' port='telnet146' rem _addr='10.1.1.20' authen_type=1 service=LOGIN priv=12005 Mar 26 22:10:16.590 AAA/AUTHEN/CONT (224470576): continue_login2005 Mar 26 22:10:16.590 AAA/AUTHEN (224470576): status = GETUSER TAC+: send AUTHEN/CONT packet id=224470576 ! Here asking for the password TAC+: ver=192 id=224470576 received AUTHEN status = GETPASS 2005 Mar 26 22:10:17.090 AAA/AUTHEN (224470576): status = GETPASSPassword: 2005 Mar 26 22:10:19.980 AAA/AUTHEN/CONT (224470576): continue_login 2005 Mar 26 22:10:19.980 AAA/AUTHEN (224470576): status = GETPASS TAC+: send AUTHEN/CONT packet id=224470576 ! Here shows authentication successful TAC+: ver=192 id=224470576 received AUTHEN status = PASS 2005 Mar 26 22:10:20.480 AAA/AUTHEN (224470576): status = PASS Switch> (enable) 

Now take a look at some of the common problems you may encounter with the TACACS+ authentication.

  • TACACS+ server is unreachable or mismatch in the shared secret key If the TACACS+ server is unreachable or the shared secret key is mismatched between the TACACS+ server and the switch, an error message will be reported, as in Example 11-16. If an alternate method (for example, local user database) is configured as a backup method, the switch will try to authenticate the user with the backup method.

    Example 11-16. The ERROR Message When TACACS+ Server Is Unreachable

    2005 Mar 29 15:29:22.430 AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.25. 35.229' authen_type=1 service=LOGIN priv=12005 Mar 29 15:29:22.430 AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=LOGIN TAC+: send AUTHEN/START packet ver=192 id=340001563 TAC+: no tacacs server definedTACACS: Unable to contact Server !The following line shows the ERROR message when TACACS+ server is unreachable 2005 Mar 29 15:29:22.430 AAA/AUTHEN (340001563): status = ERROR 2005 Mar 29 15:29:22.430 AAA/AUTHEN/START (340001563): failed to authenticate 2005 Mar 29 15:29:22.430 %AAA: enable: Internal error. Trying Local Login Authentication 

  • Bad Username or Password If the username or password is invalid, then authentication will fail. This is different than an error message, as we have seen earlier. For example, as with bad username or password, the backup method is not tried. Example 11-17 shows the debug output for a bad username or password authentication.

    Example 11-17. Debug Output for AAA When Bad Username or Password Is Entered

    2005 Mar 29 15:39:14.490 AAA/AUTHEN: update_user user='' ruser='(null)' port='telnet146' rem_addr='10.1.1.20' authen_type=1 service=LOGIN priv=1 2005 Mar 29 15:39:14.490 AAA/AUTHEN/START (0): port='telnet146' list='(null)' action=LOGIN service=LOGIN TAC+: send AUTHEN/START packet ver=192 id=599265646 TAC+: Opening TCP/IP connection to 10.1.1.40 TAC+: ver=192 id=599265646 received AUTHEN status = GETUSER 2005 Mar 29 15:39:15.490 AAA/AUTHEN (599265646): status = GETUSER User Access Verification Username: 2005 Mar 29 15:39:17.800 AAA/AUTHEN: update_user user='admin123' ruser='(null)' port='telnet146' rem_addr='10.25.35.229' authen_type=1 service=LOGIN priv=1 2005 Mar 29 15:39:17.800 AAA/AUTHEN/CONT (599265646): continue_login 2005 Mar 29 15:39:17.800 AAA/AUTHEN (599265646): status = GETUSER TAC+: send AUTHEN/CONT packet id=599265646 TAC+: ver=192 id=599265646 received AUTHEN status = GETPASS 2005 Mar 29 15:39:18.300 AAA/AUTHEN (599265646): status = GETPASSPassword: 2005 Mar 29 15:39:20.890 AAA/AUTHEN/CONT (599265646): continue_login 2005 Mar 29 15:39:20.890 AAA/AUTHEN (599265646): status = GETPASS TAC+: send AUTHEN/CONT packet id=599265646 !The FAIL message indicates the either bad username or password invalid. TAC+: ver=192 id=599265646 received AUTHEN status = FAIL 2005 Mar 29 15:39:21.400 AAA/AUTHEN (599265646): status = FAIL % Authentication failed. 2005 Mar 29 15:39:21.400 

Enable Password Authentication

To authenticate enable access to the switch after the user logs into the switch, set this up on the switch and on the Cisco Secure ACS Server.

Configuration Steps

The following steps are required on the switch:

Step 1.

Turn on enable password authentication with local user database. This means that the enable access for the user will be authenticated with the enable password defined on the switch. If TACACS+ is configured as a primary method for authentication, then enable password will be used in case the TACACS+ server is unreachable. Example 11-18 shows how to turn on enable authentication with a local user database.

Example 11-18. Turning on Enable Authentication with a Local User Database on Switch

Switch> (enable) set authentication enable local enable Switch (enable) set enable Enter old password: Enter new password: cisco Retype new password: cisco Password changed. Switch (enable) 

Step 2.

Configure Enable parameters for users and groups on CS ACS.

Turn on Advanced TACACS+ Features by browsing to Interface Configuration and selecting TACACS+ (Cisco IOS). Then check Advanced TACACS+ Features under Advanced Configuration Options setting. Click Submit. Under the Enable Options of User/group setup, deselect No Enable Privilege and select the desired enable privilege level either based on AAA client or Network Device Group (NDG).

To authenticate the enable password with a separate password other than the login password, you can go to the TACACS+ Enable Password section of user setup and set up a password that differs from the user's actual login password.

Step 3.

Configure TACACS+ for enable password authentication as shown in Example 11-19.

Example 11-19. Configuration to Turn on Enable Authentication

Switch (enable) set authentication enable tacacs enable Switch (enable) 

Troubleshooting Steps

Troubleshooting steps for the Enable password authentication are the same as for login authentication. Following are some of the important points to be aware of when using enable password authentication:

  • Enable Authentication is not turned on on the switch Turn on enable authentication on the switch to use the TACACS+ server. By default, enable authentication with the enable password is turned on. If the TACACS+ server is down, enable password is used as a backup if the enable login with enable password is enabled.

  • Enable Password is not defined on the CS ACS When configuring a user profile, either use the same password as the login or define a separate password for enable access under the "TACACS+ Enable Password" section. Also, you must define "Max Privilege for any AAA Client" under "Advanced TACACS+ Settings."

Authorization

Authorization comes after successful user authentication. There are two ways to perform authorization. The following sections explain how to perform the configuration and how to troubleshoot.

Configuration Steps

Two types of authorization can be configured on the switch. The first is TACACS+ Exec Authorization:

  • TACACS+ Exec Authorization Just as with a router, it's possible to send the authorization request for the enable access before the switch allows the users to log in so that the user doesn't need to enter the enable password to get to the enable mode (the user will be taken directly to the enable mode). This applies to both the console and the Telnet session. Example 11-20 shows how to turn on exec authorization using TACACS+ protocol.

    Example 11-20. Turning on Exec Authorization

    Switch (enable) set authorization exec enable tacacs+ none both Switch (enable) 

    You must configure shell/exec for the user profile under TACACS+ server.

    This is especially useful when you want to bypass the enable password authentication either locally or via the AAA server. It is also useful if you want to prevent users, such as PPP users, from logging into the switch without shell/exec service configured on the server. PPP users will get the following message:

    Exec mode authorization failed. 

    In addition to permitting/denying exec mode for users, users can be forced into enable mode when entering by having privilege level 15 assigned on the server. It is important to note that this feature is available on version 5.5(3), 6.1(1), and above.

    As stated previously, two types of authorization can be configured on the switch. The second is TACACS+ Command Authorization, which is discussed next:

  • TACACS+ Command Authorization Command authorization is also possible on the switch just as it is with routers. Example 11-21 shows the configuration required for command authorization using TACACS+. In the event that the TACACS+ server is down, authentication is configured as none. Both keywords signify that command authorization is turned on for both console and Telnet sessions.

    Example 11-21. Configuration Required for Command Authorization

    Switch (enable) set authorization commands enable config tacacs none both Switch (enable) 

    Once you turn on command authorization on the switch, you must configure the TACACS+ server for the command authorization to allow set port enable 2/8.

Troubleshooting Steps

Troubleshooting steps for authorization are the same as for authentication. If authorization fails, you must turn on the set trace tacacs 4 command to see the debug on the switch. You also need to analyze the log of the AAA server. This section explains the problems you may encounter specifically with the authorization configured on the switch:

  • User is not taken directly to the Enable Mode On the switch, the authorization exec command must be turned on. Also, you must ensure that your switch version supports the privilege level download feature from the AAA server you are running, so that you can be taken directly to the enable mode after authentication. (See Table 11-3 for the version information of the TACACS+ Exec Authorization feature.) On the CS ACS, you must have the Exec turned on for the user/group profile with privilege level set to greater than 1.

  • Command Authorization is not working First you need to be sure that the authorization is turned on either for exec or commands. Then check the configuration of the CS ACS to see if the system is properly configured for the commands. Run the trace command to identify the commands that are being parsed by the CS ACS server. Finally, match the command authorization syntax defined on the CS ACS server.

Accounting

Accounting can be turned on for authentication and for authorization. The section that follows has configuration and troubleshooting steps for accounting.

Configuration Steps

To turn on accounting on the switch with TACACS+ protocol, use the following options:

  • To collect exec level log (for instance, user getting switch prompt), execute set accounting exec enable start-stop tacacs+.

  • To collect the information about connection/disconnection information (for example, users' disconnection out of the switch), configure set accounting connect enable start-stop tacacs+.

  • To capture system-related messages (for instance, a reboot of the switch), turn on set accounting system enable start-stop tacacs+.

  • To capture which commands users are executing on the switch, issue the following command: set accounting commands enable all start-stop tacacs+.

  • To remind the server of a task (for example, to update records once every minute to make sure a user is still logged in), configure set accounting update periodic 1.

Troubleshooting Steps

Accounting problems arise mostly if certain attributes are not being logged to the CS ACS server. For this, turn on trace to see what information is being sent as a form of accounting to the CS ACS server. Examining the log on the CS ACS server will reveal if the problem lies there or not.

Identity-Based Network Services (IBNSs)

Turning on dot1x protocol on the switch port also enables user authentication and machine authentication for the Microsoft Windows Networking environment. You can avoid machine authentication, but when using Microsoft AD, it's not recommended, as this may break the GPO model for AD.

Here are some important points to note when turning on machine authentication:

  • The computer must be a member of the domain.

  • If using TLS, the computer must obtain a certificate, either through auto-enrollment (see the case study) or manually.

  • If using PEAP or TLS, be sure that the certificate of the certificate authority (CA) is in the local machine store; typically, it is added if the CA is up when the machine is added to the domain. If not, you can force the certificate to be in the local machine store via auto-enrollment (see the "Case Studies" section).

  • Click the check box for the Authenticate as Computer option.

There are two ways to turn on machine authentication:

  • Machine Auth Using PEAP Uses account information for the computer created at the time the machine is added to the domain. Hence, the computer must be a member of the domain. If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's certificate.

  • Machine authentication using EAP-TLS Authenticates the computer using certificates. The computer must have a valid certificate. If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's certificate. The easiest way to implement machine authentication is by using MS-CA and Windows GPOs. This may require a DHCP lease renewal after authentication.

    Machine authentication using EAP-TLS is not automatic and must be scripted or done manually.

Configuration Steps

You need to configure several devices for successful PEAP Machine Authentication.

Installation of Certificate

The following are the certificates required for Machine Authentication with PEAP:

  • On the supplicant, install a machine certificate from Active Directory (AD) (refer to the case study), and the CA Root Certificate as shown in the "Case Studies" section. The CA used is Microsoft Enterprise CA Server.

  • On the ACS, install ACS Server certificate, and the CA root certificate. The procedures are shown in the "Case Studies" section.

Configuration of Authenticator (Switch)

On the Authenticator (Switch) follow these steps for Hybrid mode (Cat OS):

Step 1.

Define Global Commands as shown in Example 11-22.

Example 11-22. Global Commands Required Turning on dot1x

Switch# !RADIUS configuration set radius server <ip_address> auth-port 1812 primary set radius key <key> !Global 802.1x configuration set dot1x system-auth-control enable set dot1x quiet-period 10 (default: 30) set dot1x tx-period 10 (default: 30) set dot1x supp-timeout 5 (default: 30) set dot1x server-timeout 5 (default: 30) set dot1x max-req 4 (default: 2) set dot1x re-authperiod !Global 802.1x Guest VLAN (CatOS 7.6+) set dot1x guest-vlan <vlan> 

Step 2.

Define per-port commands on the switch as shown in Example 11-23.

Example 11-23. Per-Port command to Turn on dot1x

Switch# !Port Level 802.1x configuration set port dot1x <mod/port> port-control auto set port dot1x <mod/port> port-control force-authorized set port dot1x <mod/port> multiple-host enable/disable set port dot1x <mod/port> re-authentication enable/disable !Port Level 802.1x Guest VLAN (CatOS 8.3+) set port dot1x <mod/port> guest-vlan {vlan | none} 

The following configuration is needed on the Native IOS:

Step 3.

The Global Commands needed are shown in Example 11-24.

Example 11-24. Global Configuration needed with Native IOS

Switch# !RADIUS configuration radius-server host <ip_address> radius-server key <key> aaa new-model aaa authentication dot1x default group radius aaa authorization default group radius aaa authorization config-commands !802.1x Global Commands dot1x system-auth-control dot1x max-req dot1x timeout quiet-period dot1x timeout tx-period dot1x timeout re-authperiod dot1x re-authentication IOS Commands based on Per-Port are shown below for Native IOS Switch# !IOS Per-port configuration dot1x port-control auto !IOS Per-port Guest VLAN dot1x guest-vlan <vlan> Switch# 

Configuration of Supplicant

The following steps are used to configure supplicant:

Step 1.

Open Network Connections.

Step 2.

Right-click Local Area Connection and then click Properties.

Step 3.

Click Authentication, and then check Enable IEEE 802.1x authentication for this network. For EAP type, select PEAP, check Authenticate as computer when Computer Information is Available.

Step 4.

Click PEAP Properties. On the next window under When Connecting, select Validate Server Certificate. Under Trusted Root Certificate Authorities, check the Root CA you have installed on the client. Under Select Authentication Method, choose Secure Password (EAP-MSCHAP v2). Click on Configure and choose Automatically Use my Windows Logon name and password (and domain if any).

Configuration of ACS Server

The following are step-by-step procedures for ACS configuration for the PEAP Authentication:

Step 1.

Install the ACS Server Certificate and the CA Server Certificate on the ACS Server (refer to the "Case Studies" section towards the end of this chapter).

Step 2.

Log in to ACS, and then browse to Network Configuration. Click Add Entry.

Step 3.

Enter a Network Device Group Name and click Submit.

Step 4.

Click on the new created Network Device Group and click on Add Entry.

Step 5.

Fill in the switch name, IP address, and key (shared secret you've entered on switch). Also, under Authenticate Using, select RADIUS (Cisco Aironet) which includes RADIUS Internet Engineering Task Force (IETF) attributes.

Step 6.

Click on the Submit+ Restart button.

Step 7.

Click on External User Database > Database Configuration > Windows Database > Configure.

Step 8.

In the "Windows User Database Configuration" page under the Configure Domain List, move Domains from Available Domains to Domain List.

Step 9.

In the same pages as Step 8, under the Windows EAP Settings, enter a check to indicate if the password change inside PEAP is allowed. This setting does not apply to PEAP-GTC. Note that you should not change the machine authentication name prefix. Currently MS uses host/ to distinguish between user and machine authentication.

Step 10.

Click Submit.

Step 11.

Click on External User Database > Unknown User Policy. Check the Check the following external user databases button and move the Windows Database to right under Selected Databases.

Step 12.

Click Submit.

Step 13.

Select Group Setup > Default Group and click on Edit Settings.

Step 14.

Scroll down to Radius IETF Attributes and check Attribute 27 (Session Timeout). Set it to 60 seconds.

Step 15.

Click on Submit and then Restart.

Step 16.

Go to System Configuration> Global Authentication Setup.

Step 17.

Select which EAP authentication will be enabled. (for example, PEAP-MS-CHAPv2 is selected.)

Step 18.

Click Submit and then Restart.

Authorization

Dynamic VLAN can be assigned to the port after successful user authentication. This is accomplished with an IETF RADIUS AV pair. If the switch is running Native IOS, configure authorization with aaa authorization network default group radius to apply the dynamic VLAN downloaded from CS ACS. However, if you are running Cat OS, then you do not have to turn on authorization; authentication is sufficient. Following is the list of AV pairs used for configuring user or group profiles on CS ACS to assign dynamic VLAN to the port where the supplicant is connected:

  • [64] Tunnel-Type "VLAN" (13)

  • [65] Tunnel-Medium-Type "802" (6)

  • [81] Tunnel-Private-Group-ID <VLAN name>

On CS ACS, if you do not see these attributes under user or group profile, then browse to Interface Configuration > RADIUS (IETF) and select the attributes in the previous list for a user or group or for both. Then go under the user or group setup and define the attributes as listed previously. For attribute [81] Tunnel-Private-Group-ID<VLAN name>, you must define a VLAN name, not the VLAN ID. On the switch, you must have the same name with a VLAN ID tied to it.

Troubleshooting Steps

The following troubleshooting steps may help you in isolating a dot1x implementation on the switch.

On the Windows Client

To get the debug level logging, follow these steps on the Windows client:

Step 1.

Choose Start > Run, and then type cmd in the text box, which will cause a DOS prompt to display.

Step 2.

Enter netsh ras set tracing * enabled to turn on debugging.

Step 3.

Run the Authentication test.

Step 4.

Analyze the debug messages on the client.

The debug information on the client will go into different directories depending on whether you are using Windows XP or Windows 2000. For Windows XP, the debug information will go into <installation drive>:\WINDOWS\tracing. For Windows 2000, it will go to <installation drive>:\WINNT\tracing.

Step 5.

Table 11-4 shows files and what goes into those files.

Table 11-4. Files in the Tracing Directory and Information That Goes into Those Files

Files Name

Description

RASTLS.LOG

MS-PEAP phase 1TLS

CISCOEAPPEAP.LOG

Cisco-PEAP phase 1TLS

RASCHAP.LOG

MS-PEAP phase 2MS-CHAP

EAPOL.LOG

Whole EAP communication


Step 6.

After you finish with the test, be sure to turn off tracing by using this commandnetsh ras set tracing * disable.

Step 7.

Analyze the client logs to be sure that the EAP packet is sending the proper credentials to the switch.

Step 8.

If an error condition is reported, go through the client settings to ensure that all the authentication types and parameters are set up correctly.

Step 9.

Once the client log indicates that everything is set up correctly, and EAP packets are forwarding the information to the Authenticator, the next step is to look at the Authenticator debug.

For more details on how to analyze the client log, refer to: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx

On the Authenticator (Switch) Side

On the switch you can run debug commands to see the EAPOL packet exchange between the client and the switch. The debug command to capture the information on the Catalyst OS is set tracing dot1x <0-15>. Note that 15 is a full debug, including packet dump. Be sure to turn it off once you are finished.

In Native IOS, the command to turn on debug is debug dot1x <backend | fesm | besm | CR>, which turns on debugging for the authenticator process. To capture the debug output of the communication between the Authenticator (Switch) and the AAA Server, run the AAA-related debug command, which was discussed in the "Diagnostic Commands and Tools" section of this chapter for Cat OS. For Native IOS, refer to Chapter 9, "Troubleshooting AAA on IOS Routers."

Example 11-25 shows a successful authenticated debug output on the switch.

Example 11-25. Successful debug Output Session When PEAP or EAP-TLS Is Used

2005 Mar 29 00:52:13 %PAGP-5-PORTTOSTP:Port 2/2 joined bridge port 2/2 ! Authentication is starting here.. 2005 Mar 29 00:53:05 %SECURITY-7- DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for port 2/ 2 is AUTHENTICATING 2005 Mar 29 00:53:05 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE 2005 Mar 29 00:53:06 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST 2005 Mar 29 00:53:08 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE 2005 Mar 29 00:53:08 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST 2005 Mar 29 00:53:09 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE 2005 Mar 29 00:53:09 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST 2005 Mar 29 00:53:09 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE 2005 Mar 29 00:53:10 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST 2005 Mar 29 00:53:10 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE 2005 Mar 29 00:53:11 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST 2005 Mar 29 00:53:11 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE 2005 Mar 29 00:53:12 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is REQUEST 2005 Mar 29 00:53:12 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is RESPONSE 2005 Mar 29 00:53:13 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is SUCCESS 2005 Mar 29 00:53:13 %SECURITY-7- DOT1X_BACKEND_STATE:DOT1X: backend state for port 2/2 is FINISHED 2005 Mar 29 00:53:13 %SECURITY-5- DOT1X_AUTHENTICATION_SUCCESS:Authentication successful for port 2/2 !Port is successfully authorized here, which means actual traffic from supplicant may !flow now 2005 Mar 29 00:53:14 %SECURITY-5-DOT1X_PORT_AUTHORIZED:DOT1X: port 2/2 authorized 2005 Mar 29 00:53:14 %SECURITY-7- DOT1X_AUTHENTICATOR_STATE:DOT1X: authenticator state for port 2/ 2 is AUTHENTICATED 

On the Authentication Server Side

The AAA server, for instance Cisco Secure ACS on Windows, has an extensive logging facility, which allows you to analyze the failure by the server or an external user database. For more details about server-side troubleshooting, refer to Chapter 13, "Troubleshooting Cisco Secure ACS on Windows," in particular the section on "CS ACS with Active Directory Integration." In summary, you need to go under Reports and Activity and then to Failed Attempt. For a more detailed analysis of the log, analyze the auth.log file, which is explained in detail in Chapter 13. Example 11-26 shows the RDS.log file logging output.

Example 11-26. RDS.log for Successful Authentication When PEAP/EAP-TLS Is Used

! Following shows the packets and RADIUS attributes received from the Switch Request from host 10.1.1.1:1812 code=1, id=245, length=99 on port 2341     [001] User-Name   value:  eaptls@acs.cisco     [004] NAS-IP-Address     value:  10.1.1.1     [012] Framed-MTU   value:  1000     [079] EAP-Message   value:  .....eaptls@acs.cisco     [080] Message-Authenticator        value: 6A 0A E3 64 4C D3 19 F2 AB 66 BB 0E 78 B5 CD 1A ExtensionPoint: Initiating scan of configured extension points... ExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF) ], skipping... ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP] ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [11 -  challenge] ! EXTRA STUFF REMOVED Request from host 10.1.1.1:1812 code=1, id=251, length=112 on port 2341     [001] User-Name   value:  eaptls@acs.cisco     [004] NAS-IP-Address     value:  10.1.1.1     [012] Framed-MTU   value:  1000     [024] State        value:  CISCO-EAP-CHALLENGE=0.202.77.6     [079] EAP-Message  value:  .\Q....     [080] Message-Authenticator        value: 78 7F 6F 6E E2 65 D7 47 87 78 34 C0 3D FB 52 1A ExtensionPoint: Initiating scan of configured extension points... ExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF) ], skipping... ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP] ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [4 -  accept_continue] ExtensionPoint: Start of Attribute Set     [079] EAP-Message  value:  .a..     [026] Vendor-Specific vsa id: 311           [016] MS-MPPE-Send-Key         value:  ).5.__~._Lá_2ûQ.à.._.>¢m_Æ_ä_#"....å.T_,__M_...¿_.     [026] Vendor-Specific vsa id: 311           [017] MS-MPPE-Recv- Key    value:  #Hï$N=XÄ._..u_ì.Uá_8.Éí ...ñ_..._..__>__xë ExtensionPoint: End of Attribute Set AuthorExtensionPoint: Initiating scan of configured extension points... AuthorExtensionPoint: Supplier [Cisco Aironet] not associated with vendor [RADIUS (IETF)], skipping... AuthorExtensionPoint: Supplier [Cisco Downloadable ACLs] not associated with vendo r [RADIUS (IETF)], skip ping... ! The following lines are the RADIUS response packet with AV pair after successful ! authentication Sending response code 2, id 251 to 10.1.1.1 on port 2341     [064] Tunnel-Type   value: [T1] 13     [081] Tunnel-Private-Group-ID   value: [T1] 2     [008] Framed-IP-Address    value: 255.255.255.255     [079] EAP-Message  value:  .a..     [026] Vendor-Specific vsa id: 311           [016] MS-MPPE-Send-key         value: ).5.__~._Lá_2ûQ.à.._.>¢m_Æ_ä_#"....å.T_,__M_...¿_.     [026] Vendor-Specific vsa id: 311           [017] MS-MPPE-Recv-Key         value:  #Hï$N=XÄ._..u_ì.Uá_8.Éí ...ñ_..._..___(_>__xë



Cisco Network Security Troubleshooting Handbook
Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
EAN: 2147483647
Year: 2006
Pages: 190
Authors: Mynul Hoda

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net